
Page 1: Seguridad y Tecnologías de Información - ITAM (allman.rhon.itam.mx/~victor.gonzalez/documentos/dti_2010/dti_W4S2.pdf)

01/09/2010


Information Technology Management (Dirección de Tecnologías de Información), COM-16101-001

Security and Information Technologies, September 1, 2010

Dr. Víctor M. González y González

[email protected]

Agenda

1. Relevance of Security in the Enterprise

2. IS Vulnerabilities and Threats

3. IT Security Management Practices

4. Business Continuity and Disaster Recovery Planning

Page 2

Learning Objectives

1. Recognize the business and financial value of information security.

2. Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms.

3. Explain key methods of defending information systems, networks, and devices.

4. Understand business continuity and disaster recovery planning methods.

Page 3

Relevance of Security in the Enterprise

Security Breaches

• Most organizations (82 percent of large ones and 75 percent of smaller ones) now assess information security risks, compared with just 48% who did so in 2008.

• The average number of breaches and their cost were both up compared with two years ago. Smaller businesses averaged 11 breaches (six in 2008), with their worst incident of the year costing up to £55,000 (£20,000 in 2008).

Source: 2010 Information Security Breaches Survey, United Kingdom (Infosecurity Europe and PricewaterhouseCoopers LLP).

Page 4

Security Breaches

• The rate of adoption of newer technologies (wireless networking, remote access and VoIP) has accelerated.

• The number of organizations allowing staff remote access to their systems has also increased (nine in ten).

• Organizations have increasingly turned to external providers that host applications on their behalf. Such services, including Software as a Service (SaaS) and cloud computing, are now used by over three-quarters of the organizations polled, and of these, 44% said they were entrusting critical services to third parties.

Source: 2010 Information Security Breaches Survey, United Kingdom (Infosecurity Europe and PricewaterhouseCoopers LLP).

Security Breaches

• Larger organizations are being bombarded with attacks: [chart not reproduced in this transcript]

Source: 2010 Information Security Breaches Survey, United Kingdom (Infosecurity Europe and PricewaterhouseCoopers LLP).

Page 5

Security Breaches

Andrew Beard, director, OneSecurity, PricewaterhouseCoopers LLP, commented: “Part of the solution to ensure better security is encrypting data and we see that there have been huge improvements in this area with regard to laptops, USB sticks and other removable media. But educating people is just as important and more companies than ever before now have a security policy, although only 19 percent of respondents from large organizations believed their policy is very well understood by staff. The root cause of this is that investment in security awareness training, while on the increase, is still often inadequate.”

Source: 2010 Information Security Breaches Survey, United Kingdom (Infosecurity Europe and PricewaterhouseCoopers LLP).

Video Cases

Security/Data Breaches

• Computer Virus Sparks Security Breach At OU: OU officials are urging students to check their bank accounts after a virus may have taken the personal information of students. http://news.yahoo.com/video/oklahomacity-koco-18229979/computer-virus-sparks-security-breach-at-ou-20525361

• Symantec / Security Programme: Understanding Data Breaches: Kevin Rowney, founder of Vontu, on how data breaches happen and steps to take to avoid them. http://www.symantec.com/business/playerdetail.jsp?cid=security_programme_01_sc&ct=us&fp=y&lg=en&sg=enterprise&type=videos

Page 6

Information Systems Breakdowns Beyond Company Control

Lower Manhattan, the most communications-intensive real estate in the world. (Photo courtesy of Verizon Communications.)

Verizon’s Central Office (CO) at 140 West St., harpooned by steel girders. (Photo courtesy of Verizon Communications.)

300,000 telephone lines and 3.6 million high-capacity data circuits served by the Verizon Central Office were put out of service.

Page 7

IS Vulnerabilities and Threats

Unintentional Threats

Unintentional threats fall into three major categories:

• Human Errors play a role in many computer problems. Errors can occur in the design of the hardware or information system.

• Environmental Hazards include earthquakes, severe storms, floods, power failures or strong power fluctuations, fires, defective air conditioning, explosions, radioactive fallout, etc. In addition, computer resources can be damaged by side effects such as smoke or water.

• Computer Systems Failures can occur as a result of poor manufacturing, defective materials, and outdated or poorly maintained networks.

Page 8

Intentional Threats

Intentional threats include:

• Theft of data

• Inappropriate use of data (e.g. manipulating inputs)

• Theft of mainframe computer time

• Theft of equipment or programs

• Deliberate manipulation in handling, entering, processing, transferring or programming data

• Labor strikes

• Sabotage

• Malicious damage to computer resources

Methods of Attack on Computing Facilities

• Data tampering: an attack in which someone enters false, fabricated, or fraudulent data into a computer, or changes or deletes existing data.

• Programming attacks: use of programming techniques to modify other computer programs. Examples are viruses, worms, and trojan horses.

• Malware: any unwanted software that exploits flaws in other software to gain illicit access.

• Virus: computer code (program) that has the ability to attach itself to and infect other computer programs.

• Worm: Unlike a virus, a worm spreads without any human intervention. Worms use networks to propagate and infect anything attached to them.

Page 9

Methods of Attack on Computing Facilities

• How a computer virus can spread

Stage 1: A hacker sends out a virus or worm over the internet to infect vulnerable home computers. This creates a network of slave machines known as a botnet.

Stage 2: The hacker sells or hires out the botnet to other criminals who use it for fraud, spamming, DDoS attacks and other cyber crimes.

Page 10

Video Cases

Cybercrime

• Cyber Crime Growing Global Threat: The Internet is often referred to as the Information Superhighway. But there are often shady characters loitering at every exit. As technology grows at increasing speed, "cyber criminals" are keeping law enforcement agencies very busy. http://www.youtube.com/watch?v=ZHmFiueQm5A

• BBC Botnet DDoS Attack: http://news.bbc.co.uk/2/hi/programmes/click_online/7940485.stm and http://news.bbc.co.uk/2/hi/programmes/click_online/7932816.stm

• How Cybercriminals Steal Money, by Neil Daswani: http://www.youtube.com/watch?v=jC6Q1uCnbMo&feature=related

Malware Defenses

• Anti-malware technology: these tools are designed to detect malicious code and prevent users from downloading it. Anti-malware may not be able to detect a previously unknown exploit.

• Intrusion Detection Systems (IDS): an IDS scans for unusual or suspicious traffic. An IDS can detect the start of a DoS attack by the traffic pattern, alerting the network administrator.

• Intrusion Prevention Systems (IPS): an IPS is designed to take immediate action – such as blocking specific IP addresses – whenever a traffic-flow anomaly is detected.

• Software: Lavasoft - Adaware
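The IDS and IPS bullets above describe detection by traffic pattern and an immediate blocking action on anomaly. The following Python script is an added example, not code from the course slides or from any product named here: it runs a per-source sliding-window rate check over a constructed connection log, raising an alert once per source in IDS mode and additionally blocking the source in IPS mode so that its later traffic is dropped. The log format, the threshold (more than 5 connections in 2 seconds) and every address are assumptions made for illustration.

```python
"""Rate-based anomaly detection over a connection log, in IDS and IPS modes.

Added example for the IDS/IPS slide; it is not code from the course.
The log format, the threshold, the window and all addresses are constructed
for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <destination port>".
# 198.51.100.7 opens seven connections in three seconds; 10.0.0.5 is normal.
SAMPLE_LOG = """\
2010-09-01T10:00:00 10.0.0.5 443
2010-09-01T10:00:01 198.51.100.7 80
2010-09-01T10:00:01 198.51.100.7 80
2010-09-01T10:00:01 198.51.100.7 80
2010-09-01T10:00:02 198.51.100.7 80
2010-09-01T10:00:02 198.51.100.7 80
2010-09-01T10:00:02 198.51.100.7 80
2010-09-01T10:00:03 198.51.100.7 80
2010-09-01T10:00:03 10.0.0.5 443
2010-09-01T10:00:10 10.0.0.5 443
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, destination port)."""
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)


class RateDetector:
    """Per-source sliding window: a source is anomalous once it has opened
    more than `threshold` connections within the last `window_seconds`."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.events = defaultdict(deque)  # source IP -> recent timestamps

    def observe(self, ts, src):
        recent = self.events[src]
        recent.append(ts)
        # Drop timestamps that have fallen out of the window.
        while recent and (ts - recent[0]).total_seconds() > self.window_seconds:
            recent.popleft()
        return len(recent) > self.threshold


def analyse(log_text, threshold=5, window_seconds=2, mode="ids"):
    """Run the detector over the log.

    mode="ids": only raise an alert (once per source) and keep forwarding.
    mode="ips": additionally block the source, so its later traffic is dropped.
    Returns (alerts, blocked_sources, dropped_line_count).
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    detector = RateDetector(threshold, window_seconds)
    alerted, blocked, alerts, dropped = set(), set(), [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _port = parse_line(line)
        if src in blocked:
            dropped += 1  # IPS action: traffic from a blocked source is dropped
            continue
        if detector.observe(ts, src) and src not in alerted:
            alerted.add(src)
            alerts.append((ts.isoformat(), src))
            if mode == "ips":
                blocked.add(src)
    return alerts, sorted(blocked), dropped


if __name__ == "__main__":
    print("IDS:", analyse(SAMPLE_LOG, mode="ids"))
    print("IPS:", analyse(SAMPLE_LOG, mode="ips"))
```

The difference between the two modes is only the `blocked` set: the IDS path reports and forwards, the IPS path reports and then drops. In practice the threshold has to be tuned against normal traffic for the monitored service, since a value set too low turns an IPS into a self-inflicted denial of service for legitimate clients.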

Page 11

IT Security Management Practices

Defense Strategy

1. Prevention and deterrence. Properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and better yet, deny access to unauthorized people.

2. Detection. Like a fire, the earlier an attack is detected, the easier it is to combat and the less damage is done. Detection can be performed in many cases by using special diagnostic software, at minimal cost.

3. Containment (contain the damage). The objective is to minimize or limit losses once a malfunction has occurred. This can be accomplished by including fault-tolerant systems that permit operation in a degraded mode until full recovery is made.

Page 12

Defense Strategy

4. Recovery. A recovery plan explains how to fix a damaged information system as quickly as possible. Replacing rather than repairing components is one route to fast recovery.

5. Correction. Correcting the causes of damaged systems can prevent the problem from occurring again.

6. Awareness and compliance. All organization members must be educated about the hazards and must comply with the security rules and regulations.

Figure 5.6: Major defense controls.

Page 13

Defense Strategy

• Physical controls. Physical security refers to the protection of computer facilities and resources. This includes protecting physical property such as computers, data centers, software, manuals and networks.

• Access controls. Access control is the management of who is and is not authorized to use a company’s hardware and software. Access control methods, such as firewalls and access control lists, restrict access to a network, database, file or data.

• Administrative controls. These deal with issuing guidelines and monitoring compliance with them.

Table 5.5
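To make the access-control bullet concrete, here is an added Python example (not from the course or the textbook figures cited above) of how a firewall-style access control list is evaluated: rules are tried in order, the first match decides, and anything unmatched is denied. It also checks for shadowed rules, the common misconfiguration in which an earlier, broader permit makes a later deny unreachable. The rules, networks and ports are constructed for illustration.

```python
"""Access control list evaluation with first-match semantics and default deny.

Added example for the access-controls slide; it is not code from the course.
The rules, networks and ports are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    source: str               # source network in CIDR notation
    dest_port: Optional[int]  # None means any destination port

    def matches(self, ip, port):
        in_net = ip in ipaddress.ip_network(self.source, strict=False)
        port_ok = self.dest_port is None or self.dest_port == port
        return in_net and port_ok

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        net_self = ipaddress.ip_network(self.source, strict=False)
        net_other = ipaddress.ip_network(other.source, strict=False)
        return net_other.subnet_of(net_self) and (
            self.dest_port is None or self.dest_port == other.dest_port)


def evaluate(acl, src_ip, dest_port):
    """Return (action, index of the matching rule); unmatched traffic is denied."""
    ip = ipaddress.ip_address(src_ip)
    for i, rule in enumerate(acl):
        if rule.matches(ip, dest_port):
            return rule.action, i
    return "deny", None  # implicit deny at the end of every ACL


def shadowed_rules(acl):
    """Indices of rules that can never match because an earlier rule covers them."""
    return [j for j, rule in enumerate(acl)
            if any(acl[i].covers(rule) for i in range(j))]


# Constructed ACL: internal hosts may not use telnet (port 23) but may reach
# anything else; the outside world may only reach the HTTPS port.
ACL = [
    Rule("deny", "10.0.0.0/8", 23),
    Rule("permit", "10.0.0.0/8", None),
    Rule("permit", "0.0.0.0/0", 443),
]

# The same rules with the first two swapped: the telnet deny is now unreachable.
MISORDERED_ACL = [ACL[1], ACL[0], ACL[2]]


if __name__ == "__main__":
    for ip, port in [("10.1.2.3", 23), ("10.1.2.3", 22),
                     ("203.0.113.9", 443), ("203.0.113.9", 22)]:
        print(ip, port, "->", evaluate(ACL, ip, port))
    print("shadowed in ACL:", shadowed_rules(ACL))
    print("shadowed in MISORDERED_ACL:", shadowed_rules(MISORDERED_ACL))
```

Two properties of the list matter for security: the implicit deny means anything not explicitly permitted is refused, and ordering decides the outcome when rules overlap. A shadow check like `shadowed_rules` is a cheap review step before an ACL change is deployed.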

Page 14

Information Security Strategy

• A plan

• An example: Tulane University

• http://security.tulane.edu/security-strategy.htm

Business Continuity and Disaster Recovery Planning

Page 15

Business Continuity Planning

Disaster recovery is the chain of events linking the business continuity plan (BCP) to protection and recovery.

• The purpose of a BCP is to keep the business running after a disaster occurs. Each function of the business should have a valid plan.

• Recovery planning is part of asset protection.

• Planning should focus first on recovery from a total loss of all capabilities.

• All critical applications must be identified and their recovery procedures addressed in the plan.

• The plan should be written and kept in a safe place.

Next week

1. Session 1: Chapter 8 – Social Networks - Team 4

2. Session 2: Presentation: Saul Benavides – DTI

Doubts, questions, suggestions: [email protected]